Job vs. Media Pool Encryption

Everything about backing up to tape

Job vs. Media Pool Encryption

Veeam Logoby Vejete » Wed May 03, 2017 6:28 pm

Greetings! I've searched the forums but did not turn up an answer, and I'd like a sanity check if possible.

If I have encryption enabled within a backup copy job and also as a property of the tape media pool I'm using for that job, I get hardware compression at the tape drive only, right? I'm assuming that in this scenario, the job option for (software) encryption is ignored.

Thanks for your time and advice.
=====
Jim Turner, VMCE
Master Technologist & BURA Evangelist
Hewlett Packard Enterprise
Vejete
Technology Partner
 
Posts: 16
Liked: 1 time
Joined: Thu Apr 06, 2017 6:23 pm
Location: Edmond, OK
Full Name: Jim Turner

Re: Job vs. Media Pool Encryption

Veeam Logoby foggy » Thu May 04, 2017 11:11 am

Hi Jim, if encryption is enabled both in the backup copy job and media pool, data on tape will be encrypted twice. Hardware encryption, however, has a higher priority, Veeam B&R will disable its software encryption if hardware encryption is enabled for the tape device.
foggy
Veeam Software
 
Posts: 15272
Liked: 1131 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Job vs. Media Pool Encryption

Veeam Logoby Vejete » Thu May 04, 2017 3:47 pm

Thanks foggy, but I thought it would only be encrypted twice if the original backup job had encrypted the backup file on disk. If you then copy that (encrypted) backup file to tape with encryption enabled, yes, it will be doubly encrypted.

Let me reword my original question.
1. Backup file on disk has no encryption.
2. Backup COPY job has encryption enabled.
3. Tape media pool being used by the copy job also has encryption enabled.
4. In this case, I presume that Veeam software encryption at the job level will be ignored because hardware compression at the tape drive takes priority.

Correct or not?
=====
Jim Turner, VMCE
Master Technologist & BURA Evangelist
Hewlett Packard Enterprise
Vejete
Technology Partner
 
Posts: 16
Liked: 1 time
Joined: Thu Apr 06, 2017 6:23 pm
Location: Edmond, OK
Full Name: Jim Turner

Re: Job vs. Media Pool Encryption

Veeam Logoby v.Eremin » Fri May 05, 2017 12:41 pm

Nope, if backup copy job with encryption enabled is a source pf backup to tape job that is pointed to media pool with encryption enabled, a data will be encrypted twice.
v.Eremin
Veeam Software
 
Posts: 13701
Liked: 1020 times
Joined: Fri Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: Job vs. Media Pool Encryption

Veeam Logoby Vejete » Fri May 05, 2017 8:57 pm

Okay, I think I get it now.

Image

The highlighted notation above is relevant only to the tape drive and media pool and will have no effect on the job that uses the media pool. So for the media pool (and drives) alone, what the notation is saying is that if the tape drive is incapable of providing hardware-based encryption, Veeam will step in and provide its own software encryption at (I presume) the tape server. But as you all have stated, we would be double-encrypting data because the stream was already encrypted at the source by the backup copy job since we enabled encryption in the advanced settings of the backup copy job.

The wording is very important here, and I think this is one of the things that gave me grief on the VMCE exam.

Thank you all kindly for your guidance and feedback. Much appreciated!
=====
Jim Turner, VMCE
Master Technologist & BURA Evangelist
Hewlett Packard Enterprise
Vejete
Technology Partner
 
Posts: 16
Liked: 1 time
Joined: Thu Apr 06, 2017 6:23 pm
Location: Edmond, OK
Full Name: Jim Turner

Re: Job vs. Media Pool Encryption

Veeam Logoby v.Eremin » Mon May 08, 2017 2:21 pm

what the notation is saying is that if the tape drive is incapable of providing hardware-based encryption, Veeam will step in and provide its own software encryption at (I presume) the tape server

Correct.
v.Eremin
Veeam Software
 
Posts: 13701
Liked: 1020 times
Joined: Fri Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: Job vs. Media Pool Encryption

Veeam Logoby Vejete » Mon May 15, 2017 11:13 pm

Spending some time in a Veeam lab now, and I believe I've discovered a fundamental misunderstanding on my part.

When I create a media pool, there is as we see an option to enable encryption and provide a password.

Image

Any copy to tape job that writes to media in that pool will result in the copy on tape being encrypted - either by tape drive HW encryption or Veeam software encryption if the drive is incapable of HW encryption. I'm good there.

My eureka moment came when I went back and looked at every aspect of a copy to tape job. Know what I didn't find? Any place in the tape job to enable encryption and set a password.

So in essence, my original question was faulty. The only encryption option in the whole copy to tape process flow lies within the properties of the target media pool being used.

Now, referring back to one of the previous answers, yes, I do understand that:
  1. IF the source vbk was encrypted by a backup (or backup copy) job,
  2. AND the subsequent copy to tape job writes that encrypted vbk to a media pool with encryption enabled,
  3. THEN you will need both the tape media password and the backup job password to restore from tape because the data on tape is doubly encrypted.
Thank you everyone for your kind assistance. I apologize for my noob questions. Even though I have 20 years of BURA experience (DP, NBU, TSM, CV, etc.), I've so little stick time with Veeam that it's taking a bit to ferret-out features and how they integrate.
=====
Jim Turner, VMCE
Master Technologist & BURA Evangelist
Hewlett Packard Enterprise
Vejete
Technology Partner
 
Posts: 16
Liked: 1 time
Joined: Thu Apr 06, 2017 6:23 pm
Location: Edmond, OK
Full Name: Jim Turner

Re: Job vs. Media Pool Encryption

Veeam Logoby haslund » Tue May 23, 2017 9:21 pm

Notice how the first screen is of a Backup Server connected to Veeam Backup Enterprise Manager and the second one is not.
Rasmus Haslund
Principal Technologist, Global Education Services @ Veeam Software
Veeam Certified Architect #1 | Veeam Certified Trainer #4 [v7,v8,v9] | Veeam Certified Trainer Mentor #1
Twitter: @haslund
Blog: www.perfectcloud.org
haslund
Veeam Software
 
Posts: 279
Liked: 52 times
Joined: Thu Feb 16, 2012 7:35 am
Location: Denmark
Full Name: Rasmus Haslund

Re: Job vs. Media Pool Encryption

Veeam Logoby Vejete » Wed May 24, 2017 5:26 am

Yes, I pulled the screenshots from two different environments days apart. The presence or absence of Enterprise Manager was incidental and not germane to the question at hand. Nice catch, though. :-)
=====
Jim Turner, VMCE
Master Technologist & BURA Evangelist
Hewlett Packard Enterprise
Vejete
Technology Partner
 
Posts: 16
Liked: 1 time
Joined: Thu Apr 06, 2017 6:23 pm
Location: Edmond, OK
Full Name: Jim Turner


Return to Tape



Who is online

Users browsing this forum: Google [Bot] and 3 guests